What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-03-01 20:25:32 | (Déjà vu) GCP-2023-001 (lien direct) | Published: 2023-03-01Description Description Severity Notes A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. For instructions and more details, see the following bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-4696 | Vulnerability Guideline | ★★★ | |
|
2022-12-21 17:12:56 | GCP-2022-019 (lien direct) | Published: 2022-09-22Description Description Severity Notes A message parsing and memory management vulnerability in ProtocolBuffer's C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message. This could lead to a denial of service (DoS) on services using the libraries. What should I do? Ensure that you're using the latest versions of the following software packages: protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6) protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6) What vulnerabilities are addressed by this patch? The patch mitigates the following vulnerability: A specially constructed small message that causes the running service to allocate large amounts of RAM. The small size of the request means that it is easy to take advantage of the vulnerability and exhaust resources. C++ and Python systems that consume untrusted protobufs would be vulnerable to DoS attacks if they contain a MessageSet object in their RPC request. Medium CVE-2022-1941 | Vulnerability Guideline | ★★★ | |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-021 (lien direct) | Published: 2022-10-27Updated: 2022-12-15Description Description Severity Notes 2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number. 2022-11-22 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-3176 | Vulnerability Guideline | Uber | ★★★ |
|
2022-12-21 17:12:56 | GCP-2022-014 (lien direct) | Published: 2022-04-26 Updated: 2022-11-22Description Description Severity Notes 2022-11-22 Update: GKE Autopilot clusters and workloads running in GKE Sandbox are unaffected. 2022-05-12 Update: The Anthos clusters on AWS and Anthos on Azure versions have been updated. For instructions and more details, see the:Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666 have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-1055 CVE-2022-27666 | Guideline | Uber | ★★★ |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-024 (lien direct) | Published: 2022-11-09Updated: 2022-12-16Description Description Severity Notes 2022-12-16 Update: Added patch versions for GKE and Anthos clusters on VMware. Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-2585 CVE-2022-2588 | Guideline | ★★★ | |
|
2022-12-21 17:12:56 | GCP-2022-002 (lien direct) | Published:Updated:Description Description Severity Notes 2022-02-25 Update: The GKE versions have been updated. For instructions and more details, see the: GKE security bulletin 2022-02-23 Update: The GKE and Anthos clusters on VMware versions have been updated. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin 2022-02-04 Update: The rollout start date for GKE patch versions was February 2. Note: Your clusters might not have these versions available immediately. Rollouts began on February 2 and take four or more business days to be completed across all Google Cloud zones. Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, Anthos clusters on VMware, Anthos clusters on AWS (current and previous generation), and Anthos on Azure. Pods using GKE Sandbox are not vulnerable to these vulnerabilities. See the COS release notes for more details. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin High CVE-2021-4154 CVE-2021-22600 CVE-2022-0185 | Guideline | Uber | ★★★ |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-018 (lien direct) | Published: 2022-08-01Updated: 2022-09-14Description Description Severity Notes 2022-09-14 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletinHigh CVE-2022-2327 | Vulnerability Guideline | ★★★ | |
|
2022-12-21 17:12:56 | GCP-2022-008 (lien direct) | Published: 2022-02-23 Updated: 2022-04-28Description
Description
Severity
Notes
2022-04-28 Update: Added versions of Anthos clusters on VMware that fix these vulnerabilities. For details, see the Anthos clusters on VMware security bulletin. The Envoy project recently discovered a set of vulnerabilities. All issues listed below are fixed in Envoy release 1.21.1. CVE-2022-23606: When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was erroneously introduced in Envoy version 1.19 to the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. CVE-2022-21655: Envoy's internal redirect code assumes that a route entry exists. When an internal redirect is done to a route which has a direct response entry and no route entry, it results in dereferencing a null pointer and crashing. CVE-2021-43826: When Envoy is configured to use tcp_proxy which uses upstream tunneling (over HTTP), and downstream TLS termination, Envoy will crash if the downstream client disconnects during the TLS handshake while the upstream HTTP stream is still being established. The downstream disconnect can be either client or server initiated. The client can disconnect for any reason. The server may disconnect if, for example, it has no TLS ciphers or TLS protocol versions compatible with the client. It may be possible to trigger this crash in other downstream configurations as well. CVE-2021-43825: Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amount of buffered data is over the limit by sending 413 or 500 responses. However when locally generated response is sent because of the internal buffer overflows while response is processed by the filter chain the operation may not be aborted correctly and result in accessing a freed memory block. CVE-2021-43824: Envoy crashes when using the JWT filter with a "safe_regex" match rule and a specially crafted request like "CONNECT host:port HTTP/1.1". When reaching the JWT filter, a "safe_regex" rule should evaluate the URL path but there is none here, and Envoy crashes with segfaults. CVE-2022-21654: Envoy would incorrectly allow TLS session resumption after mTLS validation settings had been reconfigured. If a client certificate was allowed with the old configuration but disallowed with the new configuration, the client could resume the previous TLS session even though the current configuration should disallow it. Changes to the following settings are affected: match_subject_alt_names CRL changes allow_expired_certificate Trust_chain_verification only_verify_leaf_cert_crl CVE-2022-21657: Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS ser |
Guideline | ★★★ |
1
We have: 8 articles.
We have: 8 articles.
To see everything:
Our RSS (filtrered)
